As technological innovation continues to evolve, so do the nature and severity of cybersecurity threats. This makes robust information security controls and risk assessment high priorities for organizations that handle sensitive data and assets. 

For the U.S. Department of Defense (DOD) and other federal government agencies — and the contractors working for those agencies — continuous monitoring of information systems and risk mitigation is crucial.

The Assessment and Authorization (A&A) process, also referred to as Certification and Accreditation (C&A), relevant standards, compliance, and regulations can provide federal agency stakeholders the protection they need to maintain a strong security posture.

What is A&A in cybersecurity?

As it relates to cybersecurity, Assessment and Authorization (A&A) is a comprehensive evaluation of an organization’s information system policies, security controls, policies around safeguards, and documented vulnerabilities.

The purpose of the A&A process is to evaluate the effectiveness and implementation of an organization’s security requirements. That includes the organization’s own policies as well as any external compliance requirements the organization is responsible for upholding.

The A&A evaluation is then confirmed through a formal authorization package reviewed by an Authorizing Official (AO). The organization then receives an information system accreditation as either:

  • An Authorization to Operate (ATO) 
  • An ATO with conditions, or 
  • A denial of authorization to operate

What’s the difference between a security assessment and a vulnerability assessment?

The world of compliance uses numerous terms to describe cybersecurity best practices, some of which sound quite similar. And while “security assessment” and “vulnerability assessment” do overlap, it’s important to understand their differences. 

A vulnerability assessment is one portion of a security assessment. It identifies, quantifies, and prioritizes the vulnerabilities in a system at a given moment in time.  

A security assessment, on the other hand, is more comprehensive. It requires manual investigation and assessment of both current and potential future vulnerabilities. 

When should A&A be performed?

According to the Federal Information Security Modernization Act (FISMA), federal agencies are required to create, document, and execute agency-wide programs that provide information security for their systems as well as for those provided or managed by a third-party.

The National Institute of Standards and Technology (NIST) Risk Management Framework Special Publication 800-37 provides the standards by which those efforts — that is, the A&A process — should be judged. 

NIST 800-37 dictates that this authorization process must occur before the agency begins production of its government contract and that authorization must be reassessed every five years.

What is a Risk Management Framework (RMF)?

The Risk Management Framework is a U.S. federal government standard that outlines how federal agencies should implement protocols to secure their information systems. As we mentioned earlier, NIST developed the RMF.

What is the authorization process?

The Department of Interior’s (DOI) Office of the Chief Information Officer (OCIO) determines the authorization methodology and also administers the RMF A&A accreditation process. The process occurs in the following phases. 

Initiation Phase

In the Initiation Phase, the OCIO analyzes the organization’s information security documentation. The goal is to ensure that the AO and the organization’s chief information security officer (CISO) agree on the terms of the company’s System Security Plan (SSP). 

Some of the documentation that might be reviewed include:

  • System Security Categorization Federal Information Processing Standards (FIPS) 199
  • Contingency/Disaster Recovery (CP/DR) Plan
  • Documented Risk Assessment

Assessment Phase

In the Assessment Phase, a comprehensive review of information security controls and remediation tactics is conducted to confirm proper implementation and optimal operation as stated in the organization’s SSP. 

Some of the activities that can occur during this phase include: 

  • Security Test and Evaluation Plan
  • Security Assessment Report
  • Plan of Action and Milestones (POA&M)

Authorization Phase   

During this final phase, the ATO will be determined by a senior agency official. This decision will grant the organization the authority to operate its information systems and indicates the acceptance of risk to agency operations, assets, and individuals.

What’s the difference between an authorization and an approval?

A&A approval is an informal acceptance of the security and privacy controls for IT systems administered by an organization. 

In contrast, a security authorization is the formal approval and documented acceptance from the OCIO that a federal agency, and its contracting partners, are required to obtain and maintain to operate their business legally. 

How can I manage the A&A process?

Failing to prepare for the A&A can result in lost revenue for a business as you’re excluded from bidding on and managing government contracts. The stakes here are far too high to manage the process manually with spreadsheets. 

ZenGRC is a governance, risk, and compliance tool that allows organizations to automate much of compliance management, organize all of their documentation, and understand their compliance stance at any time, across multiple frameworks.

For government contractors that are likely responsible for achieving multiple certifications, like CMMC compliance, for example, the ZenGRC dashboard can provide a “single source of truth” that gives you a baseline, identifies your compliance gaps, and tells you how to fill them.

When it’s time to hire an assessor to ensure you’re ready for the A&A process, ZenGRC can help you to save time and money by providing all of your documentation in an easy-to-use format that’s ready for audit at any time.

ZenGRC will also continue to monitor compliance long after authorization, ensuring that you’re never caught off-guard at any point during the lifecycle of your compliance standards.

To see ZenGRC in action, contact us today for a free demo.